_ _
_/B\_ _/W\_
(* *) Phrack #64 file 4 (* *)
| - | | - |
| | A brief history of the Underground scene | |
| | | |
| | By The Circle of Lost Hackers | |
| | | |
| | Duvel@phrack.org | |
(____________________________________________________)
--[ Contents
1. Introduction
2. The security paradox
3. Past and present Underground scene
3.1. A lack of culture and respect for ancient hackers
3.2. A brief history of Phrack
3.3. The current zombie scene
4. Are security experts better than hackers?
4.1. The beautiful world of corporate security
4.2. The in-depth knowledge of security conferences
5. Phrack and the axis of counter attacks
5.1. Old idea, good idea
5.2. Improving your hacking skills
5.3. The Underground yellow pages
5.4. The axis of knowledge
5.4.1. New Technologies
5.4.2. Hidden and private networks
5.4.3. Information warfare
5.4.4. Spying System
6. Conclusion
--[ 1. Introduction
"It's been a long long time,
I kept this message for you, Underground
But it seems I was never on time
Still I wanna get through to you, Underground..."
I am sure most of you know and love this song (Stir it Up). After all,
who doesn't like a Bob Marley song? The lyrics of this song fit very well
with my feeling : I was never on time but now I'm ready to deliver you
the message.
So what is this article about? I could write another technical article
about an eleet technique to bypass a buffer overflow protection, how to
inject my magical module in the kernel, how to reverse like an eleet or
even how to make a shellcode for a not-so-famous OS. But I won't. There
are some other people who can do it much better than I could.
But it is the reason not to write a technical article. The purpose of
this article is to launch an SOS. An SOS to the scene, to everyone, to all
the hackers in the world. To make all the next releases of Phrack better
than ever before. And for this I don't need a technical article. I need
what I would call Spirit.
Do you know what I mean by the word spirit?
--[ 2. The security paradox.
There is something strange, really strange. I always compare the
security world with the drug world. Take the drugs world, on the one side
you have all the "bad" guys: cartels, dealers, retailers, users... On
the other side, you have all the "good" guys: cops, DEA, pharmaceutical
groups creating medicines against drugs, president of the USA asking for
more budget to counter drugs... The main speech of all these good guys
is : "we have to eradicate drugs!". Well, why not. Most of us agree.
But if there is no more drugs in the world, I guess that a big part
of the world economy would fall. Small dealers wouldn't have the money to
buy food, pharmaceutical groups would loose a big part of their business,
DEA and similar agencies wouldn't have any reason to exist. All the
drugs centers could be closed, banks would loose money coming from the
drugs market. If you take all thoses things into consideration, do
you think that governments would want to eradicate drugs? Asking the
question is probably answering it.
Now lets move on to the security world.
On the one side you have a lot of companies, conferences,
open source security developers, computer crime units... On the
other side you have hackers, script kiddies, phreackers.... Should
I explain this again or can I directly ask the question? Do you really
think that security companies want to eradicate hackers?
To show you how these two worlds are similar, lets look at another
example. Sometimes, you hear about the cops arrested a dealer, maybe a
big dealer. Or even an entire cartel. "Yeah, look ! We have arrested a
big dealer ! We are going to eradicate all the drugs in the world!!!". And
sometimes, you see a news like "CCU arrests Mafiaboy, one of the best
hacker in the world". Computer crime units and DEA need publicity - they
arrest someone and say that this guy is a terrorist. That's the best way
to ask for more money. But they will rarely arrest one of the best hackers
in the world. Two reasons. First, they don't have the intention (and if
they would, it's probably to hire him rather than arrest him). Secondly,
most of the Computer Crime Units don't have the knowledge required.
This is really a shame, nobody is honest. Our governments claim that
they want to eradicate hackers and drugs, but they know if there were
no more hackers or drugs a big part of the world economy could fall. It's
again exactly the same thing with wars. All our presidents claim that we
need peace in the world, again most of us agree. But if there are no more
wars, companies like Lockheed Martin, Raytheon, Halliburton, EADS, SAIC...
will loose a huge part of their markets and so banks wouldn't have
the money generated by the wars.
The paradox relies in the perpetual assumption that threat is
generated from abuses where in fact it might comes from inproper
technological design or money driven technological improvement where the
last element shadows the first. And when someone that is dedicated enough
digs it, we have a snowball effect, thus every fish in the pound at one
time or an other become a part of it.
And as you can see, this paradox is not exclusive to the security
industry/underground or even the computer world, it could be considered
as the gold idol paradox but we do not want to get there.
In conclusion, the security world need a reason to justify its
business. This reason is the presence of hackers or a threat (whatever
hacker means), the presence of an hackers scene and in more general terms
the presence of the Underground.
We don't need them to exist, we exist because we like learning,
learning what we are not supposed to learn. But they give us another good
reason to exist. So if we are "forced" to exist, we should exist in
the good way. We should be well organized with a spirit that reflect our
philosophy. Unfortunately, this spirit which used to characterized us is
long gone...
--[ 3. Past and Present Underground scene
The "scene", this is a beautiful word. I am currently in a country
very far away from all of your countries, but it is still an
industrialized country. After spending some months in this country, I found
some old-school hackers. When I asked them how the scene was in their
country, they always answered the same thing: "like everywhere, dying". It's
a shame, really a shame. The security world is getting larger and larger and
the Underground scene is dying.
I am not an old school hacker. I don't have the pretension to claim
it I would rather say that I have some old-school tricks or maybe that my
mind is old-school oriented, but that's all. I started to enjoy the
hacking life more or less 10 years ago. And the scene was already dying.
When I started hacking, like a lot of people, I have read all the past
issues of Phrack. And I really enjoyed the experience. Nowadays,
I'm pretty sure that new hackers don't read old Phrack articles anymore.
Because they are lazy, because they can find information elsewhere,
because they think old Phracks are outdated... But reading old Phracks is
not only to acquire knowledge, it's also to acquire the hacking spirit.
----[ 3.1 A lack of culture and respect for ancient hackers
How many new hackers know the hackers history? A simple example is
Securityfocus. I'm sure a lot of you consult its vulnerabilities
database or some mailing list. Maybe some of you know Kevin Poulsen who
worked for Securityfocus for some years and now for Wired. But how many of
you know his history? How many knew that at the beginning of the 80's he
was arrested for the first time for breaking into ARPANET? And that he
was arrested a lot more times after that as well. Probably not a lot
(what's ARPANET after all...).
It's exactly the same kind of story with the most famous hacker in
the world: Kevin Mitnick. This guy really was amazing and I have a
total respect for what he did. I don't want to argue about his present
activity, it's his choice and we have to respect it. But nowadays,
when new hackers talk about Kevin Mitnick, one of the first things I
hear is : "Kevin is lame. Look, we have defaced his website, we are much
better than him". This is completely stupid. They have probably found a
stupid web bug to deface his website and they probably found the way to
exploit the vulnerability in a book like Hacking Web Exposed. And after
reading this book and defacing Kevin's website, they claim that Kevin
is lame and that they are the best hackers in the world... Where are we
going? If these hackers could do a third of what Kevin did, they would
be considered heroes in the Underground community.
Another part of the hacking culture is what some people name "The
Great Hackers War" or simply "Hackers War". It happened 15 years ago
between probably the two most famous (best?) hackers group which had
ever existed: The Legion of Doom and Master of Deception. Despite that
this chapter of the hacking history is amazing (google it), what I
wonder is how many hackers from the new generation know that famous
hackers like Erik Bloodaxe or The Mentor were part of these groups.
Probably not a lot. These groups were mainly composed of skilled and
talented hackers/phreackers. And they were our predecessor. You can still
find their profiles in past issues of Phrack. It's still a nice read.
Let's go for another example. Who knows Craig Neidorf? Nobody? Maybe
Knight Lightning sounds more familiar for you... He was the first editor
in chief of Phrack with Taran King, Taran King who called him his
"right hand man". With Taran King and him, we had a lot of good articles,
spirit oriented. So spirit oriented that one article almost sent him
to jail for disclosing a confidential document from Bell South.
Fortunately, he didn't go in jail thanks to the Electronic Frontier
Foundation who preached him. Craig wrote for the first time in Phrack
issue 1 and for the last time in Phrack issue 40. He is simply the best
contributor that Phrack has ever had, more than 100 contributions. Not
interesting? This is part of the hacking culture.
More recently, in the 90's, an excellent "magazine" (it was more a
collection of articles) called F.U.C.K. (Fucked Up College Kids) was
made by a hacker named Jericho... Maybe some new hackers know Jericho for
his work on Attrition.org (that's not sure...), but have you already taken
time to check Attrition website and consult all the good work that Jericho
and friends do? Did you know that Jericho wrote excellent Phrack World
News under the name Disorder 10 years ago (and trust me his news were
great) ? Stop thinking that Attrition.org is only an old dead mirror of
web site defacements, it's much more and it's spirit oriented.
Go ask Stephen Hawking if knowing the scientific story is not
important to understand the scientific way/spirit... Do you think that
Stephen doesn't know the story of Aristotle, Galileo, Newton or Einstein ?
To help wannabe hackers, I suggest that they read "The Complete
History of Hacking" or "A History of Computer Hacking" which are very
interesting for a first dive in the hacking history and that can easily be
found with your favorite search engine.
Another good reading is the interview of Erik Bloodaxe in 1994
(http://www.eff.org/Net_culture/Hackers/bloodaxe-goggans_94.interview)
where Erik said something really interesting about Phrack:
"I, being so ridiculously nostalgic and sentimental, didn't want to see
it (phrack) just stop, even though a lot of people always complain about
the content and say, "Oh, Phrack is lame and this issue didn't have enough
info, or Phrack was great this month, but it really sucked last month."
You know, that type of thing. Even though some people didn't always
agree with it and some people had different viewpoints on it, I really
thought someone needed to continue it and so I kind of volunteered for
it."
It's still true...
----[ 3.2 A brief history of Phrack
Let's go for a short hacking history course and let's take a look at
old Phracks where people talked about the scene and what hacking is.
Phrack 41, article 1:
---------------------
"The type of public service that I think hackers provide is not showing
security holes to whomever has denied their existence, but to merely
embarrass the hell out of those so-called computer security experts
and other purveyors of snake oil."
This is true, completely true. This is closely related to what I said
before. If there are no hackers, there are no security experts. They
need us. And we need them. (We are family)
Phrack 48, article 2:
---------------------
At the end of this article, there is the last editorial of Erik
Bloodaxe. This editorial is excellent, everyone should read it. I will
just reproduce some parts here:
"... The hacking subculture has become a mockery of its past self.
People might argue that the community has "evolved" or "grown" somehow,
but that is utter crap. The community has degenerated. It has become a
media-fueled farce. The act of intellectual discovery that hacking once
represented has now been replaced by one of greed, self-aggrandization
and misplaced post-adolescent angst... If I were to judge the health of
the community by the turnout of this conference, my prognosis would be
"terminally ill."..."
And this was in 1996. If we ask to Erik Bloodaxe now what he thinks
about the current scene, I'm pretty sure he would say something
like: "irretrievable" or "the hacking scene has reached a point of no
return".
"...There were hundreds of different types of systems, hundreds
of different networks, and everyone was starting from ground zero.
There were no public means of access; there were no books in stores or
library shelves espousing arcane command syntaxes; there were no classes
available to the layperson. ..."
Have you ever heard of a "hackademy"? Nowadays, if you want to be a
hacker it's really easy. Just go to a hacker school and they will teach
you some of the more eleet tricks in the world. That's the new hacker way.
"Hacking is not about crime. You don't need to be a criminal to be
a hacker. Hanging out with hackers doesn't make you a hacker any more
than hanging out in a hospital makes you a doctor. Wearing the t-shirt
doesn't increase your intelligence or social standing. Being cool doesn't
mean treating everyone like shit, or pretending that you know more than
everyone around you."
So what is hacking? My point of view is that hacking is a philosophy,
a philosophy of life that you can apply not only to computers but to
a lot of things. Hacking is learning, learning computers, networks,
cryptology, telephone systems, spying system and agencies, radio, what
our governments hide... Actually all non-conventional subjects or what
could also be called a third eye view of the context.
"There are a bunch of us who have reached the conclusion that the "scene"
is not worth supporting; that the cons are not worth attending; that the
new influx of would-be hackers is not worth mentoring. Maybe a lot of us
have finally grown up."
Here's my answer to Erik 10 years later: "No Eric, you hadn't finally
grown up, you were right." Erik already sent an SOS 10 years ago and
nobody heard it.
Phrack 50, article 1:
---------------------
"It seems, in recent months, the mass media has finally caught onto
what we have known all along, computer security _IS_ in fact important.
Barely a week goes by that a new vulnerability of some sort doesn't pop up
on CNN. But the one thing people still don't seem to fathom is that _WE_
are the ones that care about security the most... We aren't the ones that
the corporations and governments should worry about... We are not
the enemy."
No, we are not the enemy. But a lot of people claim that we are and
some people even sell books with titles like "Know your enemy". It's
probably one of the best ways to be hated by a lot of hackers. Don't be
surprised if there are some groups like PHC appearing after that.
Phrack 55, article 1:
---------------------
Here I will show you the arrogance of the not-so-far past editor,
answering some comments:
"...Yeah, yeah, Phrack is still active you may say. Well let me tell
you something. Phrack is not what it used to be. The people who make
Phrack are not Knight Lightning and Taran King, from those old BBS
days. They are people like you and me, not very different, that took
on themselves a job that it is obvious that is too big for them. Too
big? hell, HUGE. Phrack is not what it used to be anymore. Just try
reading, let's say, Phrack 24, and Phrack 54..."
And the editor replied (maybe Route):
"bjx of "PURSUiT" trying to justify his `old-school` ezine. bjx wrote
a riveting piece on "Installing Slackware" article. Fear and respect
the lower case "i"".
This is a perfect example of how the Underground scene has grown up in
the last few years. We can interpret editor's answer like "I'm writing
some eleet articles and not you, so I don't have to take into
consideration your point of view". But it was a really pertinent remark.
Phrack 56, article 1:
------------------------------
Here is another excellent example to show you the arrogance of the
Underground scene. Again, it's an answer to a comment from someone:
"...IMHO it hasn't improved. Sure, some technical aspects of the
magazine have improved, but it's mostly a dry technical journal these
days. The personality that used to characterize Phrack is pretty much
non-existant, and the editorial style has shifted towards one of `I know
more about buffer overflows than you` arrogance. Take a look at the Phrack
Loopback responses during the first 10 years to the recent ones. A much
higher percentage of responses are along the lines of `you're an idiot,
we at Phrack Staff are much smarter than you.`..."
And the reply:
" - Trepidity <delirium4u@theoffspring.net> apparently still bitter at
not being chosen as Mrs. Phrack 2000."
IMHO, Trepidity's remark was probably the best remark for a long long
time.
Let's stop this little history course. I have showed you that I'm
not alone in my reflection and that there is something wrong with the
current disfunctional scene. Some people already thought this 10 years ago
and I know that a lot of people are currently thinking exactly the same
thing. The scene is dying and its spirit is flying away.
I'm not Erik Bloodaxe, I'm not Voyager or even Taran King ... I'm
just me. But I would like to do something like 15 years ago, when the
word hacking was still used in the noble sense. When the spirit was still
there. We all need to react together or the beast will eat whats left
of the spirit.
----[ 3.3 The current zombie scene
"A dead scene whose body has been re-animated but whose the spirit
is lacking".
I'm not really aware of every 'groups' in the world. Some people are
much more connected than me. And to be honest, I knew the scene better 5
years ago than I do now. But I will try to give you a snapshot of what
the current scene is. Forgive me in advance for the groups that I will
forget, it's really difficult to have an accurate snapshot. The best way
to have a snapshot of the current scene is probably to use an algorithm
like HITS which allow to detect a web community. But unfortunately I don't
have time to implement it.
So the current scene for me is like a pyramid and it's organized
like secret societies. I would like to split hackers groups in 3
categories. In order to not give stupid names to these groups I will call
them layer 1 group, layer 2 group and layer 3 group. In the layer 1, 5
years ago, you had some really "famous" groups which were, I think,
composed of talented people. I will split this layer into two categories:
front-end groups and back-end groups. Some of the groups I called
front-end are: TESO, THC, w00w00, Phenoelit or Hert. Back-end groups
include ADM, Synergy, ElectronicSouls or Devhell. And you also have PHC
that you can include in both categories (you know guys you have your
entry in Wikipedia!). And at the top of that (but mainly at the top of
PHC) you had obscure/eleet groups like AB.
In the layer 2, I would like to include a lot of groups of less
scale but I think which are trying to do good stuff. Generally, these
groups have no communication with layer 1 groups. These groups are: Toxyn,
Blackhat.be, Netric, Felinemenace, S0ftpj (nice mag), Nettwerked
(congratulation for the skulls image guys!), Moloch, PacketWars,
Eleventh Alliance, Progenic, HackCanada, Blacksecurity, Blackclowns or
Aestetix. You can still split these groups into two categories, front-end
and back-end. Back-end are Toxyn or Blackat.be, others probably front-end.
Beside these groups, you have a lot of wannabe groups that I'd like to
include in layer 3, composed of new generation of hackers. Some of these
groups are probably good and I'm sure that some have the good hacking
spirit, but generally these groups are composed of hackers who learned
hacking in a school or by reading hackers magazine that they find in
library. When you see a hacker arrested in a media, he generally comes
from one of these unknown groups. 20 years ago, cops arrested hackers
like Kevin Mitnick (The Condor), Nahshon Even-Chaim (Phoenix, The Realm),
Mark Abene (Phiber Optik, Legion of Doom) or John Lee (Corrupt, Master
of Deception), now they arrest Mafia Boy for a DDOS...
There are also some (dead) old school groups like cDc, Lopht or
rhino9, independent skilled guys like Michal Zalewski or Silvio Cesare,
research groups like Lsd-pl and Darklab and obscure people like GOBBLES,
N3td3v or Fluffy Bunny :-) And of course, I don't forget people who are
not affiliated to any groups.
You can also find some central resources for hackers or phreackers
like Packetstorm or Phreak.org, and magazine oriented resources like
Pull the Plug or Uninformed.
In this wonderful world, you can find some self proclaimed eleet
mailing list like ODD.
We can represent all these groups in a pyramid. Of course, this
pyramid is not perfect. So don't blame me if you think that your groups
is not in the good category, it's just a try.
The Underground Pyramid
_
/ \
/ \
/ \
/ \
/ \ <-- More eleet hackers in
/ \ / \ the world. Are you in?
/ -(o)- \
/ / \ \
/ \
/ \
/_____________________\
/ \ <-- skilled hackers
/ AB, Fluffy Bunny, ... \ hacking mainly
/___________________________\ for fun
/ | | | \
/ PHC | TESO | ADM | cDc \ <-- Generally
/ EL8 | THC | Synergy | Lopht \ excellent skills
/ GOBBLES| WOOWOO| Devhell | rhino9 \ some groups have
/ ... | ... | ... | .... \ the good spirit
/_______________________________________\
/ | \
/ Blackhat.be | HackCanada \ <-- good skills,
/ Toxyn | Felinemenace \ some are
/ ... | Netric \ very
/ | ... \ original
/___________________________________________________\
/ \
/ WANABEE GROUPS \ <-- newbies
/_________________________________________________________\
/ \ <-- info
/ Resources: 2600,Phrack, PacketStorm, Phreak.org, Uniformed, \ for
/ PTP, ... \ all
/_________________________________________________________________\
All of these people make up the current scene. It's a big mixture
between white/gray/black hats, where some people are white hat in the day
and black hat at night (and vice-versa). Sometimes there are communication
between them, sometimes not. I also have to say that it's generally the
people from layer 1 groups who give talks to security conferences around
the world...
It's really a shame that PHC is probably the best ambassador of the
hacking spirit. Their initiative was great and really interesting.
Moreover they are quite funny. But IMHO, they are probably a little too
arrogant to be considered like an old spirit group.
Actually, the bad thing is that all these people are more or less
separate and everyone is fighting everyone else. You can even find some
hackers hacking other hackers! Where is the scene going? Even if you are
technically very good, do you have to say to everyone that you are
the best one and naming others as lamerz? The new hacker generation
will never understand the hacking spirit with this mentality.
Moreover the majority of hackers are completely disinterested by
alternate interesting subjects addressed for example in 2600 magazine or
on Cryptome website. And this is really a shame because these two media
are publishing some really good information. Most hackers are only
interested by pure hacking techniques like backdooring, network
exploitation, client vulnerabilities... But for me hacking is closely
related to other subjects like those addressed on Cryptome website. For
example the majority of hackers don't know what SIPRnet is. There is only
one reference in Phrack, but there are several articles about SIPRnet in
2600 magazine or on Cryptome website. When I want to discuss about all
these interesting subjects it's really difficult to find someone in the
scene. And to be honest the only people that I can find are people away
from the scene. The majority of hackers composing the groups I mentioned
above are not interested by these subjects (as far as I know). Old school
hackers in 80's or 90's were more interested by alternated subjects than
the new generation.
In conclusion, firstly we have to get back the old school hacking
spirit and afterwards explain to the new generation of hackers what it is.
It's the only way to survive. The scene is dying but I won't say
that we can't do anything. We can do something. We must do something.
It's our responsibility.
--[ 4 Are security experts better than hackers?
STOP!!!!! I do not want to say that security experts are better than
hackers. I don't think they are, but to be honest it's not really
important. It's nonsense to ask who is better. The best guy, independent
from the techniques he used, is always the most ingenious. But there
are two points that I would like to develop.
----[ 4.1 The beautiful world of corporate security
I met a really old school hacker some months ago, he told me something
very pertinent and I think he was right. He told me that the technology
has really changed these last years but that the old school tricks still
work. Simply because the people working for security companies don't
really care about security. They care more about finding a new eleet
technique to attack or defend a system and presenting it to a security
conference than to use it in practice.
So Underground, we have a problem. A major problem. 15 years ago,
there were a lot of people working for the security industry. At times,
there also were a lot of people working in what I will call the
Underground scene. No-one can estimate the percentage in each camp, but
I would say it was something like 60% working in security and 40% working
in the Underground scene. It was still a good distribution. Nowadays, I'm
not sure it's still true. A better estimation should be 80/20 orientated
to security or maybe even worse... There are increasingly more and more
people working for the security world than for the Underground scene. Look
at all these "eleet" security companies like ISS, Core Security, Immunity,
IDefense, eEye, @stake, NGSSoftware, Checkpoint (!), Counterpane, Sabre
Security, Net-Square, Determina, SourceFire...I will stop here otherwise
Google will make some publicity for these companies. All these security
companies have hired and still hire some hackers, even if they will say
that they don't. Sometimes, they don't even know they hired a hacker. How
many past Phrack writers work for these companies? My guess is a lot,
really a lot. After all, you can't stop a hacker if you have never been
one...
You'll tell me: "that's normal, everyone has to eat". Yeah, that's
true. Everyone has to eat. I'm not talking about that. What I don't like
(even if we do need these good and bad guys) is all the stuff around the
security world: conferences, (false) alerts, magazines, mailing lists,
pseudo security companies, pseudo security websites, pseudo security
books...
Can you tell me why there is so much security related stuff and not
so much Underground related stuff?
--[ 4.2 The in-depth knowledge of security conferences
If you have a look at all the topics addressed in a security
conference, it's amazing. Take the most famous conferences: *Blackhat,
*SecWest or even Defcon (I mention only marketing conferences, there are
others good conferences that are less corporate/business oriented like
CCC, PH neutral, HOPE or WTH). Now look at the talks given by the
speakers, they're really good. When I went to a security conference 5
years ago it was so funny, I was saying to my friends: "these guys are
5 years late". It was true then but I think it's not true anymore. They
are probably still late, but not as late as they were. But the most
relevant point for me is that recently there have been a lot of very
interesting subjects. OK not everything was interesting - there were
some shit subjects too. What I would consider as interesting subjects
are those related to new technologies (VOIP, WEB 2.0, RFID, BlackBerry,
GPS...) or original topics like hardware hacking, BlackOps, agency
relationships, SE story, bioinfo attack, nanotech, PsyOp... What the
Fuck ?!#@?! 10 years ago, all the original topics were released in an
Underground magazine like Phrack or 2600. Not in a security conference
where you have to pay more than $1000.
This is not my idea of what hacking should be. Do you really need
publicity like this to feel good? This is not hacking. I'm not talking
here about the core but the form. When I'm coding something at home all
night and in the morning it works, it's really exciting. And I don't
have to say to everyone "look at what I did!". Especially not in public
where people have to pay more than $1000 to hear you.
Another incredible thing about these security conferences is what I
would call the "conference circuit". Nowadays, if you are a security
expert, the trend is to give the same talk at different security
conferences around the world. More than 50% of all security experts are
doing this. They go in America at BlackHat, Defcon and CanSecWest, after
they move in Europe and they finish in Asia or Australia. They can even
do BlackHat America, BlackHat Europe and BlackHat Asia! Like Roger
Federer or Tiger Woods, they try to do the Grand Slam! So you can find
a conference given in 2007 which is more or less the same than one in
2005. Thus it seems we have now a new profession in our wonderful
security world: "conferences runner" !
Last funny thing is the number of conferences that I will include in
the category "How to hack the system XXX". For example at the last
Blackhat USA there was a conference on how to hack an embedded device,
for example printers and copiers. Despite the fact that it's interesting
(collecting document printed), what I find funny is the fact that you
just have to hack a non conventional device to be at Blackat or Defcon.
So, I will give some good advice to hackers who want to become famous:
try to hack the coffee machine used by the FBI or the embedded device
used by the lift of the Pentagon and everyone will see you as a hero
or a terrorist (thats context based).
--[ 5. Phrack and the axis of counter-attack
Now that I have given you an overview of the security world, let's
try to see how we can change it. There are two possibilities here. The
first one is this:- I say to you "OK now that you really understand the
problem, it's definitely time to change our mentality. This is the new
mind set that we have to adopt". It's a little bit pretentious to say
this though. Nobody can solve the problem alone and pretend to bring the
good solution. So I guess that the first possibility won't work. People
will agree but nobody will do anything.
The second possibility is to start with Phrack. All the people who
make up The Circle of Lost Hackers agree that Phrack should come back to
its past style when the spirit was present. We really agree with the quote
above which said that Phrack is mainly a dry technical journal. It's
why we would like to give you some idea that can bring back to Phrack its
bygone aura. Phrack doesn't belong to a group a people, Phrack belongs to
everyone, everyone in the Underground scene who want to bring something
for the Underground. After all, Phrack is a magazine made by the community
for the community.
We would like to invite everyone to give their point of view about the
current scene and the orientation that Phrack should take in the future.
We could compile a future article with all your ideas.
----[ 5.1. Old idea, good idea
If you take a look at the old Phrack, there are some recurring
articles :
* Phrack LoopBack
* Line noise
* Phrack World News
* Phrack Prophiles
* International scenes
Here's something funny about Phrack World News, if you take a look
at Phrack 36 it was not called "Phrack World News" but instead it was
"Elite World News"...
So, all these articles were and are interesting. But in these
articles, we would like to resuscitate the last one: "International
scenes". A first essay is made in this issue, but we would like people
to send us a short description of their scene. It could be very
interesting to have some descriptions of scenes that are not common,
for example the China scene, the Brazilian scene, the Russian scene,
the African scene, the Middle East scene... But of course we are also
interested in the more classic scenes like Americas, GB, France, Germany,
... Everything is welcome, but hackers all over the world are not only
hackers in Europe-Americas, we're everywhere. And when we talk about the
Underground scene, it should include all local scenes.
----[ 5.2. Improving your hacking skills
Here we would like to start a new kind of article. An article whose
purpose is to give to the new generation of hackers some different little
tricks to hack "like an eleet". This article will be present in every
new issue (at least until it's dead ... we hope not soon). The idea is
to ask to everyone to send us their tricks when they hack something
(it could be a computer or not). The tricks should be explained in no
more than 30 lines, and it could even be one line. It could be an eleet
trick or something really simple but useful. Example:
An almost invisible ssh connection
----------------------------------
In the worse case if you have to ssh on a box, do it every time
with no tty allocation
ssh -T user@host
If you connect to a host with this way, a command like "w" will not
show your connection. Better, add 'bash -i' at the end of the command to
simulate a shell
ssh -T user@host /bin/bash -i
Another trick with ssh is to use the -o option which allow you to
specify a particular know_hosts file (by default it's ~/.ssh/know_hosts).
The trick is to use -o with /dev/null:
ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash -i
With this trick the IP of the box you connect to won't be logged in
know_hosts.
Using an alias is a good idea.
Erasing a file
--------------
In the case of you have to erase a file on a owned computer, try
to use a tool like shred which is available on most of Linux.
shred -n 31337 -z -u file_to_delete
-n 31337 : overwrite 313337 times the content of the file
-z : add a final overwrite with zeros to hide shredding
-u : truncate and remove file after overwriting
A better idea is to do a small partition in RAM with tmpfs or
ramdisk and storing all your files inside.
Again, using an alias is a good idea.
The quick way to copy a file
----------------------------
If you have to copy a file on a remote host, don't bore yourself with
an FTP connection or similar. Do a simple copy and paste in your Xconsole.
If the file is a binary, uuencode the file before transferring it.
A more eleet way is to use the program 'screen' which allows copying a
file from one screen to another:
To start/stop : C-a H or C-a : log
And when it's logging, just do a cat on the file you want to transfer.
Changing your shell
-------------------
The first thing you should do when you are on an owned computer is to
change the shell. Generally, systems are configured to keep a history for
only one shell (say bash), if you change the shell (say ksh), you won't be
logged.
This will prevent you being logged in case you forget to clean
the logs. Also, don't forget 'unset HISTFILE' which is often useful.
Some of these tricks are really stupid and for sure all old school
hackers know them (or don't use them because they have more eleet tricks).
But they are still useful in many cases and it should be interesting to
compare everyone's tricks.
----[ 5.3. The Underground yellow pages
Another interesting idea is to maintain a list of all the interesting
IP ranges in the world. This article will be called "Meaningful IP
ranges". We have already started to scan all the class A and B networks.
What is really interesting is all the IP addresses of agencies which are
supposed to spy us. Have a look at this site:
http://www.milnet.com/iagency.htm
However we don't have to focus our list on agencies, but on everything
which is supposed to be the power of the world.
It includes:
* All agencies of a country (China, Russia, UK, France, Israel...)
* All companies in a domain, for example all companies related to private
secret service or competitive intelligence or financial clearing or
private army (dyncorp, CACI, MPRI, Vinnel, Wackenhut, ...)
* Companies close to government (SAIC, Dassault, QinetiQ, Halliburton,
Bechtel...)
* Spying business companies (AT&T, Verizon, VeriSign, AmDocs, BellSouth,
Top Layer Networks, Narus, Raytheon, Verint, Comverse, SS8, pen-link...)
* Spoken Medias (Al Jazeera, Al Arabia, CNN, FOX, BBC, ABC, RTVi, ...)
* Written Medias or press agencies (NY/LA Times, Washington Post,
Guardian, Le monde, El Pais, The Bild, The Herald, Reuters, AFP, AP,
TASS, UPI...)
* All satellite maintainers (Intelsat, Eurosat, Inmarsat, Eutelsat,
Astra...)
* Suspect investment firms (Carlyle, In-Q-Tel...)
* Advanced research centers (DARPA, ARDA/DTO, HAARP...)
* Secret societies, fake groups and think-tanks (The Club of Rome, The
Club of Berne, Bilderberg, JASON group, Rachel foundation, CFR, ERT,
UNICE, AIPAC, The Bohemian Club, Opus Dei, The Chatman House, Church of
Scientology...)
* Guerilla groups, rebels or simply alternative groups (FARC, ELN, ETA,
KKK, NPA, IRA, Hamas, Hezbolah, Muslim Brothers...)
* Ministries (Defense, Energy, State, Justice...)
* Militaries or international polices (US Army, US Navy, US Air Force,
NATO, European armies, Interpol, Europol, CCU...)
* And last but not least: HONEYPOT!
It's obvious that not all ranges can be obtained. Some agencies are
registered under a false name in order to be more discrete (what about
ENISA, the European NSA?), others use some high level systems (VPN, tor
...) on top of normal networks or simply use communication systems other
than the Internet. But we would like to keep the most complete list we
can. But for this we need your help. We need the help of everyone in
the Underground who is ready to share knowledge. Send us your range.
We started to scan the A and B range with a little script we made,
but be sure that the more interesting range are in class C. Here is a
quick start of the list :
11.0.0.0 - 11.255.255.255 : DoD Network Information Center
144.233.0.0 - 144.233.255.255 : Defense Intelligence Agency
144.234.0.0 - 144.234.255.255 : Defense Intelligence Agency
144.236.0.0 - 144.236.255.255 : Defense Intelligence Agency
144.237.0.0 - 144.237.255.255 : Defense Intelligence Agency
144.238.0.0 - 144.238.255.255 : Defense Intelligence Agency
144.239.0.0 - 144.239.255.255 : Defense Intelligence Agency
144.240.0.0 - 144.240.255.255 : Defense Intelligence Agency
144.241.0.0 - 144.241.255.255 : Defense Intelligence Agency
144.242.0.0 - 144.242.255.255 : Defense Intelligence Agency
162.45.0.0 - 162.45.255.255 : Central Intelligence Agency
162.46.0.0 - 162.46.255.255 : Central Intelligence Agency
130.16.0.0 - 130.16.255.255 : The Pentagon
134.11.0.0 - 134.11.255.255 : The Pentagon
134.152.0.0 - 134.152.255.255 : The Pentagon
134.205.0.0 - 134.205.255.255 : The Pentagon
140.185.0.0 - 140.185.255.255 : The Pentagon
141.116.0.0 - 141.116.255.255 : Army Information Systems Command-Pentagon
6.0.0.0 - 6.255.255.255 : DoD Network Information Center
128.20.0.0 - 128.20.255.255 : U.S. Army Research Laboratory
128.63.0.0 - 128.63.255.255 : U.S. Army Research Laboratory
129.229.0.0 - 129.229.255.255 : United States Army Corps of Engineers
131.218.0.0 - 131.218.255.255 : U.S. Army Research Laboratory
134.194.0.0 - 134.194.255.255 : DoD Network Information Center
134.232.0.0 - 134.232.255.255 : DoD Network Information Center
137.128.0.0 - 137.128.255.255 : U.S. ARMY Tank-Automotive Command
144.252.0.0 - 144.252.255.255 : DoD Network Information Center
155.8.0.0 - 155.8.255.255 : DoD Network Information Center
158.3.0.0 - 158.3.255.255 : Headquarters, USAAISC
158.12.0.0 - 158.12.255.255 : U.S. Army Research Laboratory
164.225.0.0 - 164.225.255.255 : DoD Network Information Center
140.173.0.0 - 140.173.255.255 : DARPA ISTO
158.63.0.0 - 158.63.255.255 : Defense Advanced Research Projects Agency
145.237.0.0 - 145.237.255.255 : POLFIN ( Ministry of Finance Poland)
163.13.0.0 - 163.32.255.255 : Ministry of Education Computer Center Taiwan
168.187.0.0 - 168.187.255.255 : Kuwait Ministry of Communications
171.19.0.0 - 171.19.255.255 : Ministry of Interior Hungary
164.49.0.0 - 164.49.255.255 : United States Army Space and Strategic
Defense
165.27.0.0 - 165.27.255.255 : United States Cellular Telephone
152.152.0.0 - 152.152.255.255 : NATO Headquarters
128.102.0.0 - 128.102.255.255 : NASA
128.149.0.0 - 128.149.255.255 : NASA
128.154.0.0 - 128.154.255.255 : NASA
128.155.0.0 - 128.155.255.255 : NASA
128.156.0.0 - 128.156.255.255 : NASA
128.157.0.0 - 128.157.255.255 : NASA
128.158.0.0 - 128.158.255.255 : NASA
128.159.0.0 - 128.159.255.255 : NASA
128.161.0.0 - 128.161.255.255 : NASA
128.183.0.0 - 128.183.255.255 : NASA
128.217.0.0 - 128.217.255.255 : NASA
129.50.0.0 - 129.50.255.255 : NASA
153.31.0.0 - 153.31.255.255 : FBI Criminal Justice Information Systems
138.137.0.0 - 138.137.255.255 : Navy Regional Data Automation Center
138.141.0.0 - 138.141.255.255 : Navy Regional Data Automation Center
138.143.0.0 - 138.143.255.255 : Navy Regional Data Automation Center
161.104.0.0 - 161.104.255.255 : France Telecom R&D
161.105.0.0 - 161.105.255.255 : France Telecom R&D
161.106.0.0 - 161.106.255.255 : France Telecom R&D
159.217.0.0 - 159.217.255.255 : Alcanet International (Alcatel)
158.190.0.0 - 158.190.255.255 : Credit Agricole
158.191.0.0 - 158.191.255.255 : Credit Agricole
158.192.0.0 - 158.192.255.255 : Credit Agricole
165.32.0.0 - 165.48.255.255 : Bank of America
171.128.0.0 - 171.206.255.255 : Bank of America
167.84.0.0 - 167.84.255.255 : The Chase Manhattan Bank
159.50.0.0 - 159.50.255.255 : Banque Nationale de Paris
159.22.0.0 - 159.22.255.255 : Swiss Federal Military Dept.
163.12.0.0 - 163.12.255.255 : navy aviation supply office
163.249.0.0 - 163.249.255.255 : Commanding Officer Navy Ships Parts
164.94.0.0 - 164.94.255.255 : Navy Personnel Research
164.224.0.0 - 164.224.255.255 : Secretary of the Navy
34.0.0.0 - 34.255.255.255 : Halliburton Company
139.121.0.0 - 139.121.255.255 : Science Applications International
Corporation
...
The last one is definitely interesting; people interested by obscure
technologies should investigate in-depth SAIC stuff...
But anyway this list is rough and incomplete. We have a lot more
interesting ranges but not yet classed. It's just to show you how easy
it is to obtain.
If you think that the idea is funny, send us your range. We would be
pleased to include your range in our list. The idea is to offer the more
complete list we can for the next Phrack release.
----[ 5.4. The axis of knowledge
I'm sure that everyone knows "the axis of evil". This sensational
expression was coined some years ago by Mr. Bush to group wicked
countries (but was it really invented by the "president" or by m1st3r
Karl Rove??). We could use the same expression to name the evil subjects
that we would like to have in Phrack. But I will leave to Mr Powerful
Bush his expression and find a more noble one : The Axis of Knowledge.
So what is it about? Just list some topics that we would like to find
more often in Phrack. In the past years, Phrack was mainly focused on
exploitation, shellcode, kernel and reverse engineering. I'm not saying
that this was not interesting, I'm saying that we need to diversify the
articles of Phrack. Everyone agrees that we must know the advances in
heap exploitation but we should also know how to exploit new technologies.
------[ 5.4.1 New Technologies
To illustrate my point, we can take a quote from Phrack 62, the
profiling of Scut:
Q: What suggestions do you have for Phrack?
A: For the article topics, I personally would like to see more articles
on upcoming technologies to exploit, such as SOAP, web services,
.NET, etc.
We think he was right. We need more article on upcoming technology.
Hackers have to stay up to date. Low level hacking is interesting but we
also need to adapt ourselves to new technologies.
It could include: RFID, Web2, GPS, Galileo, GSM, UMTS, Grid Computing,
Smartdust system.
Also, since the name Phrack is a combination between Phreack and Hack,
having more articles related to Phreacking would be great. If you have
a look to all the Phrack issues from 1 to 30, the majority of articles
talked about Phreacking. And Phreacking and new technologies are closely
connected.
------[ 5.4.2 Hidden and private networks
We would like to have a detailed or at least an introduction to
private networks used by governments. It includes:
* Cyber Security Knowledge Transfer Network (KTN)
http://ktn.globalwatchonline.com
* Unclassified but Sensitive Internet Protocol Router Network
and
The Secret IP Router Network (SIPRN)
http://www.disa.mil/main/prodsol/data.html
* GOVNET
http://www.govnet.state.vt.us/
* Advanced Technology Demonstration Network
http://www.atd.net/
* Global Information Grid (GIG)
http://www.nsa.gov/ia/industry/gig.cfm?MenuID=10.3.2.2
...
There are a lot private networks in the world and some are not
documented. What we want to know is: how they are implemented, who
is using them, which protocols are being used (is it ATM, SONET...?),
is there a way to access them through the Internet, ....
If you have any information to share on these networks, we would be
very interested to hear from you.
------[ 5.4.3 Information warfare
Information warfare is probably one of the most interesting upcoming
subjects in recent years. Information is present everywhere and the one
who controls the information will be the master. USA already understands
this well, China too, but some countries are still late. Especially in
Europe. Some websites are already specialized in information warfare
like IWS the Information Warfare Site (http://www.iwar.org.uk)
You can also find some schools across the world which are specialized
in information warfare.
We, hackers, can use our knowledge and ingeniousness to do something
in this domain. Let me give you two examples. The first one is Black Hat
SEO (http://www.blackhatseo.com/). This subject is really interesting
because it combines a lot of subjects like development, hacking,
social engineering, linguistics, artificial intelligence and even
marketing. These techniques can be use in Information Warfare and we
would like the Underground to know more about this subject.
Second example, in a document entitled "Who is n3td3v?" the author
(hacker factor) use linguistic techniques in order to identify
n3td3v. After having analyzed n3td3v's text, the author claims that
n3td3v and Gobbles are probably the same person. N3td3v's answer was
to say that he has an A.I. program allowing him to generate a text
automatically. If he wants to sound like George Bush, he has simply
to find a lots of articles by him, give these texts to his A.I. and
the AI program will build a model representing the way that George
Bush write. Once the model created, he can give a text to the A.I.
and this text will be translated in "George Bush Speaking". Author's
answer (hacker factor) was to say it's not possible.
For working in text-mining, I can tell you that it's possible. The
majority of people working in the academic area are blind and when you
come to them with innovative techniques, they generally say you that you
are a dreamer. A simple implementation can be realized quickly with the
use of a grammar (that you can even induct automatically), a thesaurus
and markov chains. Add some home made rules and you can have a small
system to modify a text.
An idea could be to release a tool like this (the binary, not the
source). I already have the title for an article : "Defeating forensic:
how to cover your says" !
More generally, in information warfare, interesting subjects could be:
* Innovative information retrieval techniques
* Automatic diffusion of manipulated information
* Tracking of manipulated information
Military and advanced centers like DARPA are already interested in
these topics. We don't have to let governments have the monopoly on
these areas. I'm sure we can do much better than governments.
------[ 5.4.4 Spying System
Everyone knows ECHELON, it's probably the most documented spying
system in the world. Unfortunately, the majority of the information that
you can find on ECHELON is where ECHELON bases in the world are. There is
nothing about how they manipulate data. It's evident that they are using
some data-mining techniques like speech recognition, text-cleaning, topic
classification, name entity recognition sentiment detection and so on. For
this they could use their own software or maybe they are using some
commercial software like:
Retrievalware from Convera :
http://www.convera.com/solutions/retrievalware/Default.aspx
Inxight's products:
http://www.inxight.com/products/
"Minority Report" like system visualization:
http://starlight.pnl.gov/
...
For now we are like Socrates, all we know is that we know nothing.
Nothing about how they process data. But we are very interested to know.
In the same vein, we would like to know more on Narus
(http://www.narus.com/), which could be used as the successor of
CARNIVORE which was the FBI's tools to intercept electronic data. Which
countries use Narus, where it is installed, how is Narus processing
information...
Actually any system which is supposed to spy on us is interesting.
--[ 6. Conclusion
I'm reaching the end of my subject. Like with every articles some
people will agree with the content and some not. I'm probably not the best
person for talking about the Underground but I tried to resume in
this text all the interesting discussions I had for several years with a
lot of people. I tried to analyze the past and present scene and to give
you a snapshot as accurate as possible.
I'm not entirely satisfied, there's a lot more to say. But if this
article can already make you thinking about the current scene or
the Underground in general, that means that we are on the good way.
The most important thing to retain is the need to get back the
Underground spirit. The world changes, people change, the security world
changes but the Underground has to keep its spirit, the spirit which
characterized it in the past.
I gave you some ideas about how we could do it, but there are much
more ideas in 10000 heads than in one. Anyone who worry about the current
scene is invited to give his opinion about how we could do it.
So let's go for the wakeup of the Underground. THE wakeup. A wakeup
to show to the world that the Underground is not dead. That it will never
die, that it is still alive and for a long time.
Thats the responsibility of all hackers around the world.